1235 matches found

Veracode
added 2023/01/10 7:21 a.m. · 22 views

Authentication Bypass

github.com/mellium/sasl is vulnerable to authentication bypass. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated; instead, the nonce is empty, causing authentication to fail in the best case, which may lead to...

CVSS 9.8 · AI score 9.1 · EPSS 0.00437
Exploits 0 · References 5 · Affected Software 1
Github Security Blog
added 2022/12/31 3:30 a.m. · 34 views

mellium.im/sasl authentication failure due to insufficient nonce randomness

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated; instead, the nonce is empty. This causes authentication to fail in the best case, but if paired...

CVSS 9.8 · AI score 9 · EPSS 0.00437
Exploits 0 · References 6 · Affected Software 1
OSV
added 2022/12/31 3:30 a.m. · 24 views

GHSA-GVFJ-FXX3-J323 mellium.im/sasl authentication failure due to insufficient nonce randomness

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated; instead, the nonce is empty. This causes authentication to fail in the best case, but if paired...

CVSS 9.8 · AI score 9.4 · EPSS 0.00437
Exploits 0 · References 6
OSV
added 2022/12/31 1:15 a.m. · 2 views

CVE-2022-48195

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated; instead, the nonce is empty. This causes authentication to fail in the best case, but if paired...

CVSS 9.8 · AI score 5.8 · EPSS 0.00437
Exploits 0 · References 1
NVD
added 2022/12/31 1:15 a.m. · 15 views

CVE-2022-48195

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated; instead, the nonce is empty. This causes authentication to fail in the best case, but if paired...

CVSS 9.8 · EPSS 0.00437
Exploits 0 · References 1
Prion
added 2022/12/31 1:15 a.m. · 12 views

Authentication flaw

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated; instead, the nonce is empty. This causes authentication to fail in the best case, but if paired...

CVSS 7.5 · AI score 9.4 · EPSS 0.00437
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2022/12/31 12:00 a.m. · 6 views

CVE-2022-48195

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated; instead, the nonce is empty. This causes authentication to fail in the best case, but if paired...

AI score 7 · EPSS 0.00437
Exploits 0 · References 1
GitLab Advisory Database
added 2022/12/31 12:00 a.m. · 29 views

Mellium vulnerable to authentication failure or insufficient randomness used during authentication

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated; instead, the nonce is empty. This causes authentication to fail in the best case, but if paired...

AI score 2.6 · EPSS 0.00437
Exploits 0 · References 3 · Affected Software 1
Cvelist
added 2022/12/27 9:13 p.m. · 23 views

CVE-2021-4238 Insufficient randomness in github.com/Masterminds/goutils

Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by...

AI score 9.3 · EPSS 0.00336
Exploits 1 · References 2
Vulnrichment
added 2022/12/27 9:13 p.m. · 7 views

CVE-2021-4238 Insufficient randomness in github.com/Masterminds/goutils

Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by...

AI score 9.2 · EPSS 0.00336
Exploits 1 · References 2
Positive Technologies
added 2022/12/27 12:00 a.m. · 2 views

PT-2022-8301 · Unknown · Morgawr Muon

Name of the Vulnerable Software and Affected Versions: Morgawr Muon version 0.1.1. Description: A vulnerability has been found in Morgawr Muon, classified as problematic. It affects an unknown functionality of the file src/muon/handler.clj, leading to insufficiently random values. The attack can b...

CVSS 7.5 · AI score 4.5 · EPSS 0.00292
Exploits 0 · References 9
Tenable Nessus
added 2022/12/23 12:00 a.m. · 37 views

Fedora 35 : nodejs (2022-de515f765f)

The remote Fedora 35 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-de515f765f advisory. November 2022 Security Updates https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/ ---- September Security Updates for Node.js...

CVSS 9.1 · AI score 7.8 · EPSS 0.86472
Exploits 4 · References 6
Tenable Nessus
added 2022/12/22 12:00 a.m. · 41 views

Fedora 36 : nodejs (2022-52dec6351a)

The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-52dec6351a advisory. November 2022 Security Updates https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/ ---- September Security Updates for Node.js...

CVSS 9.1 · AI score 7.8 · EPSS 0.86472
Exploits 4 · References 6
Snyk
added 2022/12/18 1:19 p.m. · 1 view

Insecure Randomness

Overview: Affected versions of this package are vulnerable to Insecure Randomness in the Request function, which uses cryptographically insecure random numbers. Remediation: Upgrade DNS to version 7.0.0 or higher. References: GitHub Commit; GitHub PR...

CVSS 9.8 · AI score 7 · EPSS 0.006
Exploits 0 · References 2
OpenVAS
added 2022/12/09 12:00 a.m. · 14 views

Ubuntu: Security Advisory (USN-5770-1)

The remote host is missing an update for the...

CVSS 4 · AI score 4.2 · EPSS 0.00081
Exploits 0 · References 2
OSV
added 2022/12/08 8:18 p.m. · 1 view

USN-5770-1 gcc-5, gccgo-6 vulnerability

Todd Eisenberger discovered that certain versions of the GNU Compiler Collection (GCC) could be made to clobber the status flag of RDRAND and RDSEED with specially crafted input. This could potentially lead to less randomness in random number generation...

CVSS 4 · AI score 7.1 · EPSS 0.00081
Exploits 0 · References 2
PyPA
added 2022/12/06 6:15 p.m. · 5 views

PYSEC-2022-42997

Passeo is an open source Python password generator. Versions prior to 1.0.5 rely on the Python random library for random value selection. The Python random library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator...

CVSS 7.5 · AI score 6.8 · EPSS 0.00385
Exploits 0 · References 3 · Affected Software 1
OSV
added 2022/12/05 10:15 p.m. · 1 view

DEBIAN-CVE-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: (1) It does not check the return value; it assumes EntropySource always succeeds, but it can a...

CVSS 9.1 · AI score 6.9 · EPSS 0.01213
Exploits 1 · References 1
UbuntuCve
added 2022/12/05 10:15 p.m. · 37 views

CVE-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: (1) It does not check the return value; it assumes EntropySource always succeeds, but it can a...

CVSS 9.1 · AI score 6.8 · EPSS 0.01213
Exploits 1 · References 2
CVE
added 2022/12/05 12:00 a.m. · 281 views

CVE-2022-35255

CVE-2022-35255 describes a weakness in Node.js 18 WebCrypto key generation where EntropySource() is invoked but its return value is not checked, and the data returned may not be cryptographically strong. The underlying issue occurs in SecretKeyGenTraits::DoKeyGen() and can lead to weaker key mate...

CVSS 9.1 · AI score 8.9 · EPSS 0.01213
Exploits 1 · References 4 · Affected Software 1